Update auth config and README (GoogleCloudPlatform#805)

liminw · Jon Wayne Parrott · commit 002f288cd41f · 2017-02-14T16:54:19.000-08:00
* Use 'security' directive instead of 'x-security'. Also add 'x-google'
prefix to the existing auth swagger extensions.

* Minor fixes.
diff --git a/appengine/flexible/endpoints/README.md b/appengine/flexible/endpoints/README.md
@@ -72,7 +72,7 @@ The JWT client demonstrates how to use a service account to authenticate to endp
 
 To use the service account for authentication:
 
-1. Update the `google_jwt`'s `x-jwks_uri` in `openapi.yaml` with your service account's email address.
+1. Update the `google_jwt`'s `x-google-jwks_uri` in `openapi.yaml` with your service account's email address.
 2. Redeploy your application.
 
 Now you can use the JWT client to make requests to the API:
@@ -91,7 +91,7 @@ The ID Token client demonstrates how to use user credentials to authenticate to
 
 To use the client ID for authentication:
 
-1. Update the `/auth/info/googleidtoken`'s `audiences` in `openapi.yaml` with your client ID.
+1. Update the `google_id_token`'s `x-google-audiences` in `openapi.yaml` with your client ID.
 2. Redeploy your application.
 
 Now you can use the client ID to make requests to the API:
@@ -106,7 +106,7 @@ We refer to the project that serves API requests as the server project. You also
 
 To use the App Engine default service account for authentication:
 
-1. Update the `gae_default_service_account`'s `x-issuer` and `x-jwks_uri` in `openapi.yaml` with your client project ID.
+1. Update the `gae_default_service_account`'s `x-google-issuer` and `x-google-jwks_uri` in `openapi.yaml` with your client project ID.
 2. Redeploy your server application.
 3. Update clients/service_to_service_gae_default/main.py, replace 'YOUR-CLIENT-PROJECT-ID' and 'YOUR-SERVER-PROJECT-ID' with your client project ID and your server project ID.
 4. Upload your application to Google App Engine by invoking the following command. Note that you need to provide project ID in the command because there are two projects (server and client projects) here and gcloud needs to know which project to pick.
@@ -137,7 +137,7 @@ Google API python client library should have already been installed under 'lib'
 
 To use the client for authentication:
 
-1. Update the `google_service_account`'s `x-issuer` and `x-jwks_uri` in `openapi.yaml` with your service account email.
+1. Update the `google_service_account`'s `x-google-issuer` and `x-google-jwks_uri` in `openapi.yaml` with your service account email.
 2. Redeploy your server application.
 3. Update clients/service_to_service_non_default/main.py by replacing 'YOUR-SERVICE-ACCOUNT-EMAIL', 'YOUR-SERVER-PROJECT-ID' and 'YOUR-CLIENT-PROJECT-ID'
 with your service account email, your server project ID, and your client project ID, respectively.
diff --git a/appengine/flexible/endpoints/openapi.yaml b/appengine/flexible/endpoints/openapi.yaml
@@ -43,22 +43,10 @@ paths:
           description: "Authentication info."
           schema:
             $ref: "#/definitions/authInfoResponse"
-      x-security:
-        - google_jwt:
-            audiences:
-            # This must match the "aud" field in the JWT. You can add multiple
-            # audiences to accept JWTs from multiple clients.
-            - "echo.endpoints.sample.google.com"
-        - gae_default_service_account:
-            audiences:
-            # This must match the "aud" field in the JWT. You can add multiple
-            # audiences to accept JWTs from multiple clients.
-            - "echo.endpoints.sample.google.com"
-        - google_service_account:
-            audiences:
-            # This must match the "aud" field in the JWT. You can add multiple
-            # audiences to accept JWTs from multiple clients.
-            - "echo.endpoints.sample.google.com"
+      security:
+      - google_jwt: []
+      - gae_default_service_account: []
+      - google_service_account: []
   "/auth/info/googleidtoken":
     get:
       description: "Returns the requests' authentication information."
@@ -70,12 +58,8 @@ paths:
           description: "Authentication info."
           schema:
             $ref: "#/definitions/authInfoResponse"
-      x-security:
-      - google_id_token:
-          audiences:
-          # Your OAuth2 client's Client ID must be added here. You can add
-          # multiple client IDs to accept tokens from multiple clients.
-          - "YOUR-CLIENT-ID"
+      security:
+      - google_id_token: []
   "/auth/info/firebase":
     get:
       description: "Returns the requests' authentication information."
@@ -87,10 +71,8 @@ paths:
           description: "Authentication info."
           schema:
             $ref: "#/definitions/authInfoResponse"
-      x-security:
-      - firebase:
-          audiences:
-          - "YOUR-PROJECT-ID"
+      security:
+      - firebase: []
 
 definitions:
   echoMessage:
@@ -104,14 +86,12 @@ definitions:
       email:
         type: "string"
 
-# [START securityDef]
 securityDefinitions:
   # This section configures basic authentication with an API key.
   api_key:
     type: "apiKey"
     name: "key"
     in: "query"
-# [END securityDef]
   # This section configures authentication using Google API Service Accounts
   # to sign a json web token. This is mostly used for server-to-server
   # communication.
@@ -120,9 +100,11 @@ securityDefinitions:
     flow: "implicit"
     type: "oauth2"
     # This must match the 'iss' field in the JWT.
-    x-issuer: "jwt-client.endpoints.sample.google.com"
+    x-google-issuer: "jwt-client.endpoints.sample.google.com"
     # Update this with your service account's email address.
-    x-jwks_uri: "https://www.googleapis.com/service_accounts/v1/jwk/YOUR-SERVICE-ACCOUNT-EMAIL"
+    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/jwk/YOUR-SERVICE-ACCOUNT-EMAIL"
+    # This must match the "aud" field in the JWT. You can add multiple audiences to accept JWTs from multiple clients.
+    x-google-audiences: "echo.endpoints.sample.google.com"
   # This section configures authentication using Google App Engine default
   # service account to sign a json web token. This is mostly used for
   # server-to-server communication.
@@ -131,9 +113,10 @@ securityDefinitions:
     flow: "implicit"
     type: "oauth2"
     # Replace YOUR-CLIENT-PROJECT-ID with your client project ID.
-    x-issuer: "YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
-    # Replace YOUR-CLIENT-PROJECT-ID with your client project ID.
-    x-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
+    x-google-issuer: "YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
+    # Replace YOUR-CLIENT-PROJECT-ID with your client project ID
+    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
+    x-google-audiences: "echo.endpoints.sample.google.com"
   # This section configures authentication using a service account
   # to sign a json web token. This is mostly used for server-to-server
   # communication.
@@ -142,22 +125,27 @@ securityDefinitions:
     flow: "implicit"
     type: "oauth2"
     # Replace YOUR-SERVICE-ACCOUNT-EMAIL with your service account email.
-    x-issuer: "YOUR-SERVICE-ACCOUNT-EMAIL"
+    x-google-issuer: "YOUR-SERVICE-ACCOUNT-EMAIL"
     # Replace YOUR-SERVICE-ACCOUNT-EMAIL with your service account email.
-    x-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/YOUR-SERVICE-ACCOUNT-EMAIL"
+    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/YOUR-SERVICE-ACCOUNT-EMAIL"
+    # This must match the "aud" field in the JWT. You can add multiple audiences to accept JWTs from multiple clients.
+    x-google-audiences: "echo.endpoints.sample.google.com"
   # This section configures authentication using Google OAuth2 ID Tokens.
   # ID Tokens can be obtained using OAuth2 clients, and can be used to access
   # your API on behalf of a particular user.
   google_id_token:
     authorizationUrl: ""
     flow: "implicit"
     type: "oauth2"
-    x-issuer: "accounts.google.com"
-    x-jwks_uri: "https://www.googleapis.com/oauth2/v1/certs"
+    x-google-issuer: "accounts.google.com"
+    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v1/certs"
+    # Your OAuth2 client's Client ID must be added here. You can add multiple client IDs to accept tokens form multiple clients.
+    x-google-audiences: "YOUR-CLIENT-ID"
   # This section configures authentication using Firebase Auth.
   firebase:
     authorizationUrl: ""
     flow: "implicit"
     type: "oauth2"
-    x-issuer: "https://securetoken.google.com/YOUR-PROJECT-ID"
-    x-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
+    x-google-issuer: "https://securetoken.google.com/YOUR-PROJECT-ID"
+    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
+    x-google-audiences: "YOUR-PROJECT-ID"
diff --git a/endpoints/getting-started/README.md b/endpoints/getting-started/README.md
@@ -67,7 +67,7 @@ The JWT client demonstrates how to use a service account to authenticate to endp
 
 To use the service account for authentication:
 
-1. Update the `google_jwt`'s `x-jwks_uri` in `openapi.yaml` with your service account's email address.
+1. Update the `google_jwt`'s `x-google-jwks_uri` in `openapi.yaml` with your service account's email address.
 2. Redeploy your application.
 
 Now you can use the JWT client to make requests to the API:
@@ -86,7 +86,7 @@ The ID Token client demonstrates how to use user credentials to authenticate to
 
 To use the client ID for authentication:
 
-1. Update the `/auth/info/googleidtoken`'s `audiences` in `openapi.yaml` with your client ID.
+1. Update the `google_id_token`'s `x-google-audiences` in `openapi.yaml`with your client ID.
 2. Redeploy your application.
 
 Now you can use the client ID to make requests to the API:
@@ -101,7 +101,7 @@ We refer to the project that serves API requests as the server project. You also
 
 To use the App Engine default service account for authentication:
 
-1. Update the `gae_default_service_account`'s `x-issuer` and `x-jwks_uri` in `openapi.yaml` with your client project ID.
+1. Update the `gae_default_service_account`'s `x-google-issuer` and `x-google-jwks_uri` in `openapi.yaml` with your client project ID.
 2. Redeploy your server application.
 3. Update clients/service_to_service_gae_default/main.py, replace 'YOUR-CLIENT-PROJECT-ID' and 'YOUR-SERVER-PROJECT-ID' with your client project ID and your server project ID.
 4. Upload your application to Google App Engine by invoking the following command. Note that you need to provide project ID in the command because there are two projects (server and client projects) here and gcloud needs to know which project to pick.
@@ -132,7 +132,7 @@ Google API python client library should have already been installed under 'lib'
 
 To use the client for authentication:
 
-1. Update the `google_service_account`'s `x-issuer` and `x-jwks_uri` in `openapi.yaml` with your service account email.
+1. Update the `google_service_account`'s `x-google-issuer` and `x-google-jwks_uri` in `openapi.yaml` with your service account email.
 2. Redeploy your server application.
 3. Update clients/service_to_service_non_default/main.py by replacing 'YOUR-SERVICE-ACCOUNT-EMAIL', 'YOUR-SERVER-PROJECT-ID' and 'YOUR-CLIENT-PROJECT-ID'
 with your service account email, your server project ID, and your client project ID, respectively.
@@ -155,10 +155,8 @@ The client project is running Google App Engine standard application.
 
 To use the client for authentication:
 
-1. Update the `google_id_token`'s audiences, replace `YOUR-SERVER-PROJECT-ID` with your server project ID.
-2. Redeploy your server application.
-3. Update clients/service_to_service_google_id_token/main.py, replace 'YOUR-CLIENT-PROJECT-ID' and 'YOUR-SERVER-PROJECT-ID' with your client project ID and your server project ID.
-4. Upload your application to Google App Engine by invoking the following command. Note that you need to provide project ID in the command because there are two projects (server and client projects) here and gcloud needs to know which project to pick.
+1. Update clients/service_to_service_google_id_token/main.py, replace 'YOUR-CLIENT-PROJECT-ID' and 'YOUR-SERVER-PROJECT-ID' with your client project ID and your server project ID.
+2. Upload your application to Google App Engine by invoking the following command. Note that you need to provide project ID in the command because there are two projects (server and client projects) here and gcloud needs to know which project to pick.
 ```bash
 $ gcloud app deploy app.yaml --project=YOUR-CLIENT-PROJECT-ID
 ```
diff --git a/endpoints/getting-started/openapi.yaml b/endpoints/getting-started/openapi.yaml
@@ -45,22 +45,10 @@ paths:
           description: "Authentication info."
           schema:
             $ref: "#/definitions/authInfoResponse"
-      x-security:
-        - google_jwt:
-            audiences:
-            # This must match the "aud" field in the JWT. You can add multiple
-            # audiences to accept JWTs from multiple clients.
-            - "echo.endpoints.sample.google.com"
-        - gae_default_service_account:
-            audiences:
-            # This must match the "aud" field in the JWT. You can add multiple
-            # audiences to accept JWTs from multiple clients.
-            - "echo.endpoints.sample.google.com"
-        - google_service_account:
-            audiences:
-            # This must match the "aud" field in the JWT. You can add multiple
-            # audiences to accept JWTs from multiple clients.
-            - "echo.endpoints.sample.google.com"
+      security:
+      - google_jwt: []
+      - gae_default_service_account: []
+      - google_service_account: []
   "/auth/info/googleidtoken":
     get:
       description: "Returns the requests' authentication information."
@@ -72,13 +60,8 @@ paths:
           description: "Authentication info."
           schema:
             $ref: "#/definitions/authInfoResponse"
-      x-security:
-      - google_id_token:
-          audiences:
-          # Your OAuth2 client's Client ID must be added here. You can add
-          # multiple client IDs to accept tokens from multiple clients.
-          - "YOUR-CLIENT-ID"
-          - "YOUR-SERVER-PROJECT-ID@appspot.gserviceaccount.com"
+      security:
+      - google_id_token: []
   "/auth/info/firebase":
     get:
       description: "Returns the requests' authentication information."
@@ -90,10 +73,8 @@ paths:
           description: "Authentication info."
           schema:
             $ref: "#/definitions/authInfoResponse"
-      x-security:
-      - firebase:
-          audiences:
-          - "YOUR-PROJECT-ID"
+      security:
+      - firebase: []
 
 definitions:
   echoMessage:
@@ -107,14 +88,12 @@ definitions:
       email:
         type: "string"
 
-# [START securityDef]
 securityDefinitions:
   # This section configures basic authentication with an API key.
   api_key:
     type: "apiKey"
     name: "key"
     in: "query"
-# [END securityDef]
   # This section configures authentication using Google API Service Accounts
   # to sign a json web token. This is mostly used for server-to-server
   # communication.
@@ -126,6 +105,8 @@ securityDefinitions:
     x-google-issuer: "jwt-client.endpoints.sample.google.com"
     # Update this with your service account's email address.
     x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/jwk/YOUR-SERVICE-ACCOUNT-EMAIL"
+    # This must match the "aud" field in the JWT. You can add multiple audiences to accept JWTs from multiple clients.
+    x-google-audiences: "echo.endpoints.sample.google.com"
   # This section configures authentication using Google App Engine default
   # service account to sign a json web token. This is mostly used for
   # server-to-server communication.
@@ -137,6 +118,8 @@ securityDefinitions:
     x-google-issuer: "YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
     # Replace YOUR-CLIENT-PROJECT-ID with your client project ID.
     x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/YOUR-CLIENT-PROJECT-ID@appspot.gserviceaccount.com"
+    # This must match the "aud" field in the JWT. You can add multiple audiences to accept JWTs from multiple clients.
+    x-google-audiences: "echo.endpoints.sample.google.com"
   # This section configures authentication using a service account
   # to sign a json web token. This is mostly used for server-to-server
   # communication.
@@ -145,9 +128,11 @@ securityDefinitions:
     flow: "implicit"
     type: "oauth2"
     # Replace YOUR-SERVICE-ACCOUNT-EMAIL with your service account email.
-    x-issuer: "YOUR-SERVICE-ACCOUNT-EMAIL"
+    x-google-issuer: "YOUR-SERVICE-ACCOUNT-EMAIL"
     # Replace YOUR-SERVICE-ACCOUNT-EMAIL with your service account email.
-    x-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/YOUR-SERVICE-ACCOUNT-EMAIL"
+    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/YOUR-SERVICE-ACCOUNT-EMAIL"
+    # This must match the "aud" field in the JWT. You can add multiple audiences to accept JWTs from multiple clients.
+    x-google-audiences: "echo.endpoints.sample.google.com"
   # This section configures authentication using Google OAuth2 ID Tokens.
   # ID Tokens can be obtained using OAuth2 clients, and can be used to access
   # your API on behalf of a particular user.
@@ -157,10 +142,13 @@ securityDefinitions:
     type: "oauth2"
     x-google-issuer: "accounts.google.com"
     x-google-jwks_uri: "https://www.googleapis.com/oauth2/v1/certs"
+    # Your OAuth2 client's Client ID must be added here. You can add multiple client IDs to accept tokens form multiple clients.
+    x-google-audiences: "YOUR-CLIENT-ID"
   # This section configures authentication using Firebase Auth.
   firebase:
     authorizationUrl: ""
     flow: "implicit"
     type: "oauth2"
     x-google-issuer: "https://securetoken.google.com/YOUR-PROJECT-ID"
     x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
+    x-google-audiences: "YOUR-PROJECT-ID"
